Palo Alto Training
Palo Alto - Initial Build Reference Sheet
Strata PA-Series - ML-Powered Next-Generation Firewall - App-ID, User-ID, Content-ID, Device-ID
VM-Series - Virtual Next-Generation Firewall - App-ID, User-ID, Content-ID, Device-ID
CN-Series - Containerized Next-Generation Firewall - App-ID, User-ID, Content-ID, Device-ID
Panorama - Firewall Management
Prisma Access - Secure Access Service Edge (SASE)
Prisma Cloud - Cloud Native Security Platform
Prisma SD-WAN
Cortex XDR - Extended Detection and Response
Cortex XSOAR - Security Orchestration, Automation and Response
Expanse, Crypsis
Cloud-Delivered Security Services (Content-ID): DNS Security, Threat Prevention, URL Filtering, WildFire, IoT Security
GlobalProtect, SD-WAN, Data Loss Prevention, Prisma SaaS
Modules
- Security Platform and Architecture
- Initial Configuration
- Interface Configuration
- Security and NAT Policies
- App-ID
- Content-ID
- URL Filtering
- Decryption
- WildFire
- User-ID
- GlobalProtect
- Site to Site VPNs
- Monitoring and Reporting
- Active/Passive High Availability
- Security Practices
Two ways to access the PA-220:
GUI - HTTPS to the MGT interface
CLI - console cable or SSH (Telnet is disabled by default; leave it off)
Default credentials: admin/admin (change the password before the MGT interface touches a production network)
Console - log in as admin/admin
> configure
# set deviceconfig system type static
# set deviceconfig system ip-address 192.168.10.1 netmask 255.255.255.0
# commit
License / register the device and the feature set allowed:
Palo Alto Portal https://support.paloaltonetworks.com/Support/Index
Log in to the Customer Support account > Assets
Management settings: Device > Setup > Management > General Settings > gear icon: hostname, domain, time
General system health
show system statistics – shows the real-time throughput on the device
show system software status – shows whether the various system processes are running
show jobs processed – used to see when commits, downloads, upgrades, etc. have completed
show system disk-space – shows percent usage of the disk partitions
show system logdb-quota – shows the maximum log file sizes
debug dataplane internal vif link – shows management interface (eth0) counters
MGT Interface
# set deviceconfig system ip-address
Admin Password
# set mgt-config users admin password
DNS
# set deviceconfig system dns-setting servers
NTP
# set deviceconfig system ntp-servers
Interfaces
# set network interface
System settings
# set deviceconfig system
Zones
# set zone <name>
# set vsys <name> zone <name>
Example Via Console (operational mode first, then configuration mode)
set system ztp disable
set cli config-output-format set
configure
set deviceconfig system type static
set deviceconfig system ip-address <MGT_IP>   (substitute the management address; netmask and gateway below do nothing without it)
set deviceconfig system netmask 255.255.255.0
set deviceconfig system default-gateway 100.105.37.1
set deviceconfig system hostname myfw-01
set deviceconfig system dns-setting servers primary 26.18.76.16
set deviceconfig system dns-setting servers secondary 8.8.8.8
set deviceconfig system timezone US/Eastern
commit
Verify
test arp gratuitous ip x.x.x.x interface ethernetx/x
ping a couple of the static IPs on the LAN
admin@my-intro-fw101> show system info | match serial
serial: 012309002370
admin@my-intro-fw101> show interface management
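A pasted set-command bundle is applied line by line and the CLI never warns when one line quietly overrides another, or when a required setting is simply absent. The following linter is an added example (not code from the training sheet or from Palo Alto Networks): it parses a bundle offline and reports both mistakes. The BUNDLE text is constructed, modelled on the console example above, and deliberately sets the primary DNS server twice and omits the MGT ip-address. Helper names, REQUIRED_MGT and the "last token is the value" heuristic are assumptions of this example.

```python
"""Lint a PAN-OS set-format bundle before it is pasted into a console.

Added example, not part of the original sheet.  Assumes the one-value-per-line
style used above: everything between `set` and the last token is the path, the
last token is the value.  Helper names are hypothetical.
"""
import shlex

# Minimum for a reachable static MGT interface (assumption for this check).
REQUIRED_MGT = [
    ("deviceconfig", "system", "ip-address"),
    ("deviceconfig", "system", "netmask"),
    ("deviceconfig", "system", "default-gateway"),
]

# Constructed bundle: primary DNS set twice, MGT ip-address forgotten.
BUNDLE = """\
set system ztp disable
set cli config-output-format set
configure
set deviceconfig system type static
set deviceconfig system netmask 255.255.255.0
set deviceconfig system default-gateway 100.105.37.1
set deviceconfig system hostname myfw-01
set deviceconfig system dns-setting servers primary 8.8.8.8
set deviceconfig system dns-setting servers primary 26.18.76.16
set deviceconfig system dns-setting servers secondary 8.8.8.8
set deviceconfig system timezone US/Eastern
commit
"""


def parse_set_lines(text):
    """Return [(path_tuple, value)] for every `set` line in paste order; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # honours quoted values such as "My FW"
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        entries.append((tuple(tokens[1:-1]), tokens[-1]))
    return entries


def effective_config(entries):
    """What the device ends up with: a later `set` of the same path overrides an earlier one."""
    config = {}
    for path, value in entries:
        config[path] = value
    return config


def find_overrides(entries):
    """Paths assigned more than one distinct value, values listed in paste order."""
    seen = {}
    for path, value in entries:
        seen.setdefault(path, []).append(value)
    return {path: values for path, values in seen.items() if len(set(values)) > 1}


def find_missing(entries, required=REQUIRED_MGT):
    """Required paths that no `set` line in the bundle assigns."""
    present = {path for path, _ in entries}
    return [path for path in required if path not in present]


def lint(text):
    """Human-readable findings; an empty list means both checks passed."""
    entries = parse_set_lines(text)
    findings = []
    for path, values in find_overrides(entries).items():
        findings.append("override: %s set to %s; device keeps %r"
                        % (" ".join(path), " then ".join(values), values[-1]))
    for path in find_missing(entries):
        findings.append("missing: set %s <value>" % " ".join(path))
    return findings


if __name__ == "__main__":
    for finding in lint(BUNDLE):
        print(finding)
```

Run it against any bundle you are about to paste; the override check is what catches the duplicated primary DNS line, and the missing check catches a bundle that configures netmask and gateway for a management address that was never set.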
Security Profiles
HIP Objects/Profiles
URL Filtering Profiles
WildFire Analysis Profiles
# set profiles
# set vsys <name> profiles
# set shared profiles
Server Profiles
# set server-profile
# set vsys <name> server-profile
# set shared server-profile
Authentication Profiles
# set authentication-profile
# set vsys <name> authentication-profile
# set shared authentication-profile
Certificate Profiles
# set certificate-profile
# set vsys <name> certificate-profile
# set shared certificate-profile
Policy
# set rulebase
# set vsys vsys1 rulebase
Log Quotas
# set deviceconfig setting management quota-settings
User-ID
# set user-id-agent
# set vsys <name> user-id-agent
# set user-id-collector
# set vsys <name> user-id-collector
HA
# set deviceconfig high-availability
AutoFocus Settings
# set deviceconfig setting autofocus
WildFire Settings
# set deviceconfig setting wildfire
Panorama
# set deviceconfig system panorama-server
Restart
> request restart system
show system resources – shows processes running in the management plane, similar to the "top" command
show running resource-monitor – used to see resource utilization in the dataplane, such as dataplane CPU utilization
less mp-log mp-monitor.log – every 15 minutes the system runs a script to monitor management plane resource usage; the output is stored in this file
less dp-log dp-monitor.log – every 15 minutes the system runs a script to monitor dataplane resource usage; the output is stored in this file
General dropped packet troubleshooting
ping source <IP_addr_src_int> host <IP_addr_host> – ping from the specified FW dataplane interface
ping host <IP> – ping from the MGT interface
show session all | match <text> – used to show specific sessions in the session table; any text can follow match, e.g. a source or destination IP or an application
show session all filter destination <IP> destination-port <port> – shows all sessions going to a particular destination IP and port (filter is a keyword of the command, not a pipe)
show session id <ID> – shows the specifics behind a particular session
show counter interface <name> – shows interface counters
show counter global | match drop – used to troubleshoot dropped packets
show counter global filter delta yes | match <drop|error|frag> – shows only counters that changed since the last time the command was run, filtered on one keyword
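Reading the delta counters by eye gets slow once a few hundred of them scroll past. The script below is an added example (not from the training sheet or from Palo Alto Networks) that parses pasted `show counter global` output, keeps the drop and error rows, ranks them by count and sums them per aspect so you can see which stage (session setup, forwarding, parsing) is dropping traffic. SAMPLE is constructed to match the column layout of that command; the counter names are real PAN-OS names but the values and descriptions are made up, and the helper names are hypothetical.

```python
"""Triage pasted `show counter global [filter delta yes]` output offline.

Added example, not part of the original sheet.  Column layout assumed:
name, value, rate, severity, category, aspect, description.
Helper names are hypothetical.
"""
import re
from dataclasses import dataclass

# Constructed sample in the command's layout; values and descriptions are invented.
SAMPLE = """\
Global counters:
Elapsed time since last sampling: 4.803 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                              184223    38356 info      packet    pktproc   Packets received
session_allocated                       2048      426 info      session   resource  Sessions allocated
flow_policy_deny                          92       19 drop      flow      session   Session setup: denied by policy
flow_fwd_l3_ttl_zero                       3        0 drop      flow      forward   Packets dropped: IP TTL reaches zero
flow_tcp_non_syn_drop                     41        8 drop      flow      session   Packets dropped: non-SYN TCP without session match
flow_parse_l4_cksm                         2        0 error     flow      parse     Packets dropped: TCP/UDP checksum failure
--------------------------------------------------------------------------------
Total counters shown: 6
--------------------------------------------------------------------------------
"""

# Data rows only: the header, rulers and trailer have no integer in the value column.
COUNTER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>info|warn|drop|error)\s+(?P<category>\S+)\s+(?P<aspect>\S+)\s+"
    r"(?P<description>.*\S)$"
)


@dataclass
class Counter:
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


def parse_counters(text):
    """One Counter per data row of the pasted output."""
    counters = []
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            d = m.groupdict()
            counters.append(Counter(d["name"], int(d["value"]), int(d["rate"]),
                                    d["severity"], d["category"], d["aspect"],
                                    d["description"]))
    return counters


def triage(counters, severities=("drop", "error"), min_value=1):
    """Drop/error counters that moved, highest count first: where to start looking."""
    hits = [c for c in counters if c.severity in severities and c.value >= min_value]
    return sorted(hits, key=lambda c: c.value, reverse=True)


def by_aspect(counters):
    """Total drop/error count per aspect, to see which processing stage is losing packets."""
    totals = {}
    for c in triage(counters):
        totals[c.aspect] = totals.get(c.aspect, 0) + c.value
    return totals


if __name__ == "__main__":
    cs = parse_counters(SAMPLE)
    for c in triage(cs):
        print(f"{c.value:>8}  {c.severity:<5} {c.aspect:<8} {c.name:<26} {c.description}")
    print(by_aspect(cs))
```

Paste the output of two consecutive runs of the delta command and the top of the triage list is the counter to chase first; in the sample the session aspect dominates, pointing at policy denies and out-of-state TCP rather than a forwarding or parsing problem.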
NAT
show running nat-policy – shows the current NAT policy table
show running ippool – used to see if a NAT pool is leaking
test nat-policy-match – simulates traffic going through the device and reports which NAT policy it will match
Routing
show routing route – displays the routing table
test routing fib-lookup virtual-router <VR_name> ip <IP_addr_trying_reach> – finds which route in the routing table will be used to reach the IP address being tested
Policies
show running security-policy – shows the current policy set
test security-policy-match from trust to untrust source <IP> destination <IP> protocol <num> destination-port <port> – simulates a packet going through the system and reports which policy it will match; adding source, protocol and port narrows the result to the one rule real traffic would hit
PAN Agent
show user pan-agent statistics – used to see if the agent is connected and operational; status should be connected OK and you should see numbers under users, groups and IPs
show pan-agent user-IDs – used to see if the FW has pulled groups from the PAN Agent
show user ip-user-mapping all – used to see IP to username mappings on the FW
clear user-cache all – clears the User-ID cache
debug device-server reset pan-agent <name> – resets the firewall's connection to the specified agent
URL
test url <url or IP> – used to test the categorization of a URL on the FW
tail follow yes mp-log pan_bc_download.log – shows the BrightCloud database update log
request url-filtering download status – shows the status of the database download (essentially the last line of pan_bc_download.log)
debug dataplane show url-cache statistics – shows statistics on the URL cache
show counter global | match url – shows statistics on URL processing
clear url-cache – clears the URL cache; the cache holds the 100k most popular URLs on this network
show log url direction equal backward – views the URL log, most recent entries first
To test connectivity to the BrightCloud servers:
ping host service.brightcloud.com
ping host database.brightcloud.com
BrightCloud is the legacy URL database; firewalls licensed for PAN-DB check cloud connectivity with show url-cloud status instead.
Log viewing / deleting
show log [ system | traffic | threat ] direction equal backward – starts at the end (most recent entries) of the specified log
show log [ system | traffic | threat ] direction equal forward – starts at the beginning of the specified log
clear log [ traffic | threat | acc ] – clears everything in the specified log
